Exposure of Sensitive Information Due to Incompatible Policies in zoujingli/thinkadmin

Valid

Reported on

Sep 16th 2021

Description

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites.

Proof of Concept:

please Note that this leads also to a verbose error that shows credentials of the owner .

**Ex :

Link --> https://v6.thinkadmin.top/admin.html#();

**Response:

{ "id": 10000, "usertype": "normal_code", "username": "admin", "password": "21232f297a57a5a743894a0e4a801fc3", "nickname": "\u7cfb\u7edf\u7ba1\u7406\u5458", "headimg": "https:\/\/v6.thinkadmin.top\/upload\/ec\/f571134493e54fe06855c88557052c.png", "authorize": ",,", "contact_qq": "", "contact_mail": "", "contact_phone": "", "login_ip": "58.219.66.224", "login_at": "2021-09-16 22:09:02", "login_num": 5924, "describe": "", "status": 1, "sort": 2, "is_deleted": 0, "create_at": "2015-11-13 15:14:22", "nodes": [] }

Poc Screen -->https://i.ibb.co/27pxPn0/Screenshot-from-2021-09-16-16-20-49.png

Impact

This vulnerability is capable of... claiming other users cookie performing other advanced scenarios . Account takeover is possible in this case .

We have contacted a member of the zoujingli/thinkadmin team and are waiting to hear back 2 years ago

邹景立 validated this vulnerability 2 years ago

0x9x has been awarded the disclosure bounty

The fix bounty is now up for grabs

邹景立 marked this as fixed with commit 4469f7 2 years ago

邹景立 has been awarded the fix bounty

This vulnerability will not receive a CVE

邹景立

commented 2 years ago

Maintainer

/^#(https?:)?(\/\/|\\\\)/.test(hash)

ranjit-git

commented 2 years ago

Hello @maintainer
Did my report https://huntr.dev/bounties/2449ccab-3377-4086-91c0-c2c8a8169ed8/ different than this report

ranjit-git

commented 2 years ago

My report closed as invalid but same report after 1 day late is marked as valid

0x9x

commented 2 years ago

Researcher

Thanks for your updates ! I hope you fixed everything here . The verbose error is really helpful to understand such errors .

0x9x

commented 2 years ago

Researcher

i confirm that the xss is duplicated . but not the verbose error .

0x9x modified the report

2 years ago

0x9x

commented 2 years ago

Researcher

i hope you can accept the report as another issue . ( Verbose error contains sensitive information )

Jamie Slome

commented 2 years ago

Admin

We will now accept this as a distinct report and will reward the bounties!

0x9x

commented 2 years ago

Researcher

Thanks !

to join this conversation

We have contacted a member of the zoujingli/thinkadmin team and are waiting to hear back 2 years ago

邹景立 validated this vulnerability 2 years ago

0x9x has been awarded the disclosure bounty

The fix bounty is now up for grabs

邹景立 marked this as fixed with commit 4469f7 2 years ago

邹景立 has been awarded the fix bounty

This vulnerability will not receive a CVE

邹景立

commented 2 years ago

Maintainer

/^#(https?:)?(\/\/|\\\\)/.test(hash)

ranjit-git

commented 2 years ago

Hello @maintainer
Did my report https://huntr.dev/bounties/2449ccab-3377-4086-91c0-c2c8a8169ed8/ different than this report

ranjit-git

commented 2 years ago

My report closed as invalid but same report after 1 day late is marked as valid

0x9x

commented 2 years ago

Researcher

Thanks for your updates ! I hope you fixed everything here . The verbose error is really helpful to understand such errors .

0x9x

commented 2 years ago

Researcher

i confirm that the xss is duplicated . but not the verbose error .

0x9x modified the report

2 years ago

0x9x

commented 2 years ago

Researcher

i hope you can accept the report as another issue . ( Verbose error contains sensitive information )

Jamie Slome

commented 2 years ago

Admin

We will now accept this as a distinct report and will reward the bounties!

0x9x

commented 2 years ago

Researcher

Thanks !

to join this conversation